Network overload detection and mitigation system and method

ABSTRACT

Systems and methods are provided for detecting and mitigating overload conditions affecting one or more computers attached to a network, such as overloads resulting from distributed denial of service (DDoS) attacks, for example. According to some described embodiments, an attempted overload condition is detected, e.g., by a system, through following a method, or both, within a data cleaning center. Detection may be achieved, e.g., by analyzing data packets traveling over the network to identify packets that bear characteristics that may be associated with DDoS attacks, and this analysis may include examination of the packets' data payloads. Mitigation, in turn, may include discarding some data packets, redirecting network traffic, or some combination thereof.

FIELD OF THE INVENTION

This invention relates to a system and method for preventing distributed denial of service (DDoS) attacks, or the like, via a network, such as the Internet. In particular, the invention relates to a data cleaning center having attack detection and/or mitigation modules that provide DDoS attack-free data to back-end servers.

BACKGROUND OF THE INVENTION

During the past few decades, the Internet has provided a convenient way to obtain a wealth of information on almost any subject. Many paid and free information services may be offered over the Internet, including electronic mail, home shopping, gaming, paperless billing services, and the like. Users merely need to obtain a web page address or uniform resource locator (URL) for the service they desire.

In this regard, commercial revenue for Internet-based operations has steadily increased, even for those companies that offer their Internet services for free. The companies that offer free services may obtain revenue from related non-Internet services offered to their customers or through advertising on their web site. For example, many banks offer free on-line banking services to their account holders. Further, the most popular Internet search engine providers charge for advertising on their search engine web sites, which are accessed by millions of Internet users every day.

However, as the customer base for on-line services has grown dramatically over the years, so have the opportunities for those who wish to engage in malicious activity targeting Internet web sites. What originated as several individuals, or hackers, breaking into systems for unauthorized viewing of information or sending individual virus attacks against selected systems just for the thrill of doing so, has evolved into extortion-based, multi-front attacks on many systems or whole sub-networks within the Internet.

For example, many offshore extortionists have developed ways to extract significant revenue from companies located in multiple jurisdictions. These extortionists avoid prosecution by law enforcement by launching their malicious attacks from countries in which they may avoid prosecution, either legally or practically. Further, the extortionists may obfuscate their identities by launching attacks from different computers at different locations.

Typically, an extortionist pre-warns a web site owner before an attack, demanding that a sum of money be wired to an anonymous, foreign account. For example, in the case of a gaming web site, the extortionist may wait until just before a significant event, such as an on-line poker tournament, or in the case of gambling, a major horse race, such as the Kentucky Derby. An electronic mail message may be sent to the site owner with the warning and appropriate bank account information. If the site owner does not pay the amount requested by the extortionist, then the extortionist may cause an attack to occur at the peak time for usage of the web site during the event. Such an attack may essentially shut down operations for the site. Acknowledging that the threat is real, the site owner will likely pay a potentially significant sum of money, rather than risk the loss of a significant profit obtained during the special event or peak time of the year.

The methods available to the extortionist are many. For example, one type of malicious attack that may target a system is called a distributed denial of service (DDoS) attack. This type of attack is widely acknowledged as being one of the most troublesome types of attacks of our time. A DDoS attack includes "flooding" a host computer or network with information. The flood of information can consume all available bandwidth of the host computer's or network's computing resources, thereby preventing legitimate network traffic from reaching the host network and further preventing an individual user from accessing the services of the host network. More particularly, the attacker can consume bandwidth through a network flood either by generating a large number of data packets, which contain data exchanged over the Internet, or by generating a small number of extremely large packets, directed to the target computer or network. Typically, those packets comprise Internet Control Message Protocol (ICMP) packets, User Datagram Protocol (UDP) stream attack packets, TCP SYN flood packets, or packets used in TCP based attacks such as GET flood attacks that typically occur after handshaking is completed and a session is started. In principle, however, the packets can take any form.

The attacker can execute the flood attack from a single computer. This comprises a non-distributed or conventional denial of service (DoS) attack. Alternatively, during a DDoS attack, the attacker coordinates or co-opts several computers on different networks to achieve the same effect. The attacker also can falsify (spoof) the source IP address of the packets, thereby making it difficult to trace the identity of the computers used to carry out the attack. Spoofing the source IP address also can shift attention onto innocent third parties.

An attacker also may execute a more defined attack using spoofed packets called a "broadcast amplification" or a "smurf attack." In this common attack, the attacker generates packets (typically ICMP echo requests) with a spoofed source address of the target. The attacker then sends a series of network requests using the spoofed packets to an organization having many computers. The packets contain an address that broadcasts the packets to every computer within the organization. Every computer within the organization then responds to the spoofed packet requests and sends data on to the target site. Accordingly, the target computer or network becomes flooded with the responses from the organization. Unfortunately, the target site then may blame the organization for the attack.

Further, recent attacks have been launched against domain name service (DNS) servers. DNS servers are essential to the operation of the Internet, as they provide the key function of converting alphanumeric domain names, such as XYZ.com, into the number based Internet protocol (IP) addresses on which each Internet connection is ultimately based. Attackers have discovered a new way to bring down whole segments of the Internet by attacking the DNS servers themselves, instead of the computers that the IP addresses identify.

To date, systems for detecting and mitigating DoS or DDoS attacks have been few. Some prior systems or solutions have individually used or proposed different tools or software, sometimes in the form of so-called firewalls, in an attempt to combat such attacks. These tools or software may include: systems that detect half-open connections that are typically caused by many attacks; systems that compare headers of packets to specific, known flood attack headers; or systems that monitor data packet flow that is above average or that exceeds various thresholds.

However, while these prior systems have experienced some success, such success has been limited. For example, typical systems attempt to prevent attacks from one or more computers, each of which has one source, and each targeted toward a single computer. These prior systems typically require identification of the source computers involved in the attacks, as well as the target, to compare duplicate source and target values to threshold values at the network or lower layers of the open systems interconnection (OSI) model. If the attack detection tools are successfully spoofed at lower levels of the OSI model, this leaves higher levels of the OSI model, such as the application layer, vulnerable to subsequent attacks. This is true because the prior systems assume that the data passing through a connection is safe after it has passed through the tools at the lower layers.

Thus, none of the prior systems provide for reliable universal protection of many computer systems or nodes through one access point, regardless of the source and target of an attack. Further, none of the prior systems provide for reliable universal protection of several computer systems or nodes at the same time, or after a connection has been deemed safe using typical tools at lower levels of the OSI model.

Finally, none of the prior systems provide for reliable protection of DNS servers to prevent whole networks from becoming non-operational. Accordingly, there is a need in the art for a system and method that solves the problems associated with such prior systems.

SUMMARY OF THE INVENTION

Briefly, and in general terms, a preferred embodiment relates to a system and method for detecting and/or mitigating an overload condition from one or more first computers, such as a distributed denial of service (DDoS) attack, viral attack or the like, targeting one or more of a plurality of second computers located on a network. The network may comprise any type of public or private network, such as the Internet, an intranet, a virtual private network (VPN) or the like. While one or more DDoS attacks originating from the one or more first computers on the network are mitigated, a meter, detection apparatus, software, or method detects the condition being mitigated in a data cleaning center, and in one embodiment, it provides an alert or notification regarding the mitigated attack.

A preferred embodiment comprises a data cleaning center, preferably as a stand-alone node on the network, which has a network connection for receiving a volume of data, which may be measured as D_(in), over a time period, P_(in). The data may be received from, for example, one or more first computers located on the network.

The overload condition is directed to one or more of a plurality of second computers located on the network. Typically, the second computers are server computers, and the first computers are client or user computers. However, a preferred embodiment does not necessarily differentiate between client and server computers in detecting and mitigating the overload condition. Thus, each of the first and second computers may comprise a server, client, networked electronic device, or any type of network node. Sometimes, for example, an attempted overload condition in the form of a SYN-flood attack may be launched from several different computers, including servers and clients, that are unwittingly infected with a SYN-flood virus.

One embodiment includes one or more attack detection and/or mitigation modules that are used for detecting and/or mitigating the attempted overload condition. One purpose of the attack detection and/or mitigation modules is to produce a volume of data that is free from the data causing the overload or attempted overload condition, called clean data, or D_(out), herein, for sending to the one or more second computers. The amount or volume of the clean data may be measured as D_(out), over a time period, P_(out).

In one embodiment, a meter is included to perform the task of measuring D_(in) and D_(out) and for comparing such measurements to determine whether the attempted or actual overload condition has been mitigated by the attack detection and/or mitigation modules. The meter determines that such an attempted or actual overload condition directed toward one or more of the second computers has been mitigated if D_(out) divided by P_(out) is substantially less than D_(in) divided by P_(in). In other words, if the rate at which clean data leaves the modules is substantially below the rate at which data arrived, a substantial share of the incoming data has been discarded as attack traffic, and that is the condition the meter reports.

One embodiment includes an alert apparatus to provide an alert if the meter detects an overload or attempted overload condition. The alert apparatus may provide an electronic mail alert, an audible alert, a visible alert, or the like, if an attempted overload condition is detected by the meter.

In one embodiment, the one or more attack detection and/or mitigation modules include a module that determines whether a number of duplicate GET commands have been received that exceeds a threshold value. Another attack mitigation module may also include a module that determines whether a user agent header entry in a packet header of a received data packet contains an alphabetical character. If not, the data packet is discarded. Further, one attack detection and/or mitigation module is included that determines whether a host value header entry exists in a packet header of a data packet, and if not, discards the data packet.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an overload or attempted overload condition targeting a domain name service (DNS) server. A network connection is provided for receiving one or more DNS requests from one or more client computers located on a network. A preferred embodiment includes a processor for providing a response to the one or more DNS requests to the one or more client computers before normal processing by the domain name server.

The added processor preferably executes processes used to detect whether the one or more DNS requests comprise an attempted overload condition before allowing processing of the requests by the domain name server. If an overload or attempted overload condition is detected by the processor, then the processing of the DNS requests that the domain name server would otherwise perform is performed by the processor instead. Specifically, the requests are diverted to the processor, which comprises high-speed application specific hardware that can process requests much faster than typical DNS servers. Once the overload condition or attempted overload condition has subsided, processing of the requests is re-diverted back to the DNS server.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an attempted overload condition targeting a networked computer system by counting a number of duplicate GET commands received. A network connection is provided for receiving a plurality of data packets from one or more first computers located on a network, wherein the data packets include a plurality of GET commands directed toward one or more second computers located on the network. An attack detection and/or mitigation module is provided that comprises a module to compare the received GET commands, and to determine whether a threshold number of the received GET commands are duplicative. If the threshold value is exceeded by the duplicate GET commands, then the attack mitigation module blocks or discards the duplicate GET commands from processing by the one or more second computers.

Due to the large volume of GET commands that may be received, a database function may be performed on the received GET commands to determine if the GET commands are duplicates. The database function may include a hashing algorithm applied to the GET commands to speed processing and to use less memory.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an attempted overload condition targeting a networked computer system that checks the user agent header entry of a packet header. A preferred embodiment includes a network connection for receiving a data packet having a packet header. An attack detection and/or mitigation module is provided to determine whether a user agent header entry in the packet header contains an alphabetical character. The attack detection and/or mitigation module discards the data packet if the user agent header entry contains no alphabetical character. Further, patterns in the user agent entry and/or other header entries may be detected that may indicate an attack.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an attempted overload condition targeting a networked computer system that checks the host value header entry of a packet. A network connection is provided for receiving a data packet having a packet header. An attack detection and/or mitigation module determines whether a host value header entry exists in the packet header. The attack detection and/or mitigation module discards the data packet if the host value header entry does not exist in the packet header.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an attempted overload condition targeting a networked computer system that checks line break indicators in packets. A network connection is provided for receiving a data packet. An attack detection and/or mitigation module determines whether the data packet contains valid line break indicators. An example of a non-valid line break indicator is one that only contains one of a carriage return character (CR) or a line feed character (LF), and not both. The attack detection and/or mitigation module discards the data packet if the data packet does not contain a valid line break indicator.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an attempted overload condition targeting a networked computer system that uses a redirection module to divert data until it is deemed to be clean. A network connection is provided for receiving one or more initial data packets from one or more first computers for processing by a second computer. A redirection module redirects the first computer to send the one or more initial data packets to a third computer. An attack detection and/or mitigation module determines whether the one or more initial data packets are a part of an overload or attempted overload condition. The redirection module then redirects the one or more first computers to send one or more subsequent data packets directly to the second computer if the attack detection and/or mitigation module determines that the initial data packets are not a part of an attempted overload condition. Otherwise, the data from the one or more first computers remains redirected to the third computer.

These and other aspects of the invention will become apparent from the following more detailed description, when taken in conjunction with the accompanying drawings of illustrative embodiments.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a data cleaning center according to an exemplary embodiment of the system and method for detecting and/or mitigating an overload or attempted overload condition;

FIG. 2 is a block diagram illustrating packet switching flow through various hardware components of the data cleaning center according to another exemplary embodiment;

FIG. 3 is a flow diagram illustrating the steps performed by one or more embodiments of the data cleaning center;

FIG. 4 is a flow diagram illustrating a method performed by one exemplary embodiment of an attack mitigation module for detecting an attack based on whether a suspect number of duplicate GET commands are received over a sample time period;

FIG. 5 is a flow diagram illustrating a method performed by one exemplary embodiment of an attack mitigation module for detecting and/or mitigating an attack by discarding data packets that have packet headers with a suspect user agent entry;

FIG. 6 is a flow diagram illustrating a method performed by one exemplary embodiment of an attack mitigation module for detecting and/or mitigating an attack by discarding data packets that have packet headers with suspect host value entries;

FIG. 7 is a flow diagram illustrating a method performed by one exemplary embodiment of an attack mitigation module for detecting and/or mitigating an attack by discarding data packets that use improper end-of-line or return characters;

FIG. 8 illustrates a method for preventing an attempted overload condition targeting a networked computer system that lessens or eliminates the latency effect of using the data cleaning center, such as that illustrated in FIG. 1;

FIG. 9 is a block diagram of a DNS protection system according to an exemplary embodiment; and

FIG. 10 is a flow diagram that illustrates a method performed by the DNS protection system.

DETAILED DESCRIPTION

A preferred embodiment of a system and method for detecting and/or mitigating an overload condition, constructed in accordance with the claimed invention, provides detection and/or mitigation of an overload condition style attack from one or more first computers that target one or more of a plurality of second computers located on a network. Such an attack includes, by way of example only, and not by way of limitation, a distributed denial of service (DDoS) attack, viral attack or the like. The network may comprise any type of public or private network, such as the Internet, an intranet, a virtual private network (VPN) or the like.

Referring now to the drawings, like reference numerals denote like or corresponding parts throughout the drawing figures.

Referring now to FIG. 1, a preferred data cleaning center 100 is illustrated, according to an exemplary embodiment of the system and method for detecting and/or mitigating an overload or attempted overload condition (hereinafter "an attack"). In a preferred embodiment, the data cleaning center 100 operates as a stand-alone node on a network 10, which has a network connection 126 for receiving a volume of data, which is measured as D_(in), over a time period, P_(in). The network connection 126 comprises a core edge aggregation router 102 to provide a backbone connection to the network 10. Core edge aggregation routers 102 that are available from, for example, Juniper Networks or Cisco Systems, are able to provide Internet connections of 76 gigabits per second or larger. In one embodiment, in which the data cleaning center 100 is configured to provide attack free, or clean, data to hundreds or thousands of servers, a core edge aggregation router 102 having a capability in the 1 to 76 gigabit per second range is desirable, although not necessary.

Through the network connection 126, data may be received from, for example, one or more first computers 20 a, 20 b and 20 c located on the network 10. Typically, the one or more first computers 20 a, 20 b and 20 c comprise client computers or devices used by Internet users for accessing one or more second computers 80 a, 80 b, 80 c and 80 d also located on the network 10. In one embodiment, it is preferable for all data to pass through the data cleaning center 100. In other words, both requests and responses to and from servers preferably pass through the data cleaning center 100.

Preferably, the data cleaning center 100 discards all data packets that are a part of the received data, D_(in), that use User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP). This is performed because, presently, these are common protocols used to launch DDoS attacks against the second computers 80 a, 80 b, 80 c and 80 d. Further, many commercial networks do not need to use the UDP and ICMP protocols. The filtering of UDP and ICMP packets may be performed by the core edge aggregation router 102. However, if it becomes more common to use a different type of protocol to launch attacks against the second computers 80 a, 80 b, 80 c and 80 d, then the core edge aggregation router 102 may be re-tuned to filter and discard data packets using such protocol. Alternatively, the core edge aggregation router 102 may discard all data packets, except those having selected protocols, such as Transmission Control Protocol (TCP). Note, however, that DNS queries are ordinarily carried over UDP and that ICMP carries the messages used for path MTU discovery, so an unconditional UDP and ICMP drop is suitable only where the protected servers neither serve nor depend on those protocols; the protocol filter should be tuned to what the protected servers actually use.

In one preferred embodiment, a core router 108 is provided that has, or connects to, an inbound access control list (ACL) 124 for sanity checking, which typically includes confirming that the target node is listed in the ACL. Specifically, each incoming packet is preferably checked against the ACL, which provides a list, or range, of valid IP addresses for the second computers 80 a, 80 b, 80 c and 80 d serviced by the data cleaning center 100. If a data packet is not directed to, or coming from, an IP address contained in the ACL 124, it is discarded.

In a preferred embodiment, a meter 104 is either connected to the core router, or within the core router, for measuring the received data, D_(in). The meter 104 preferably operates on a Unix-based platform or other platform, and preferably performs its measurement of the received data, D_(in), from the core router 108 after the filtering of the UDP and ICMP data packets by the core edge aggregation router 102. However, in some embodiments it is desirable to include measurements of the UDP and ICMP data packets received by the data cleaning center 100. In those embodiments, the meter 104 is preferably connected to the core edge aggregation router 102 instead of the core router 108.

After the core router 108 has completed its processing procedures, the received data, D_(in), is preferably further processed by one or more attack detection and/or mitigation tools or modules 110 (referred to herein as attack mitigation modules). In one embodiment, the one or more attack mitigation modules 110 are used to detect, mitigate, prevent and/or suppress one or more DDoS attacks that originate from one or more of the first computers 20 a, 20 b and 20 c on the network 10, and are directed to the one or more second computers 80 a, 80 b, 80 c and 80 d located on the network 10.

Typically, the one or more second computers 80 a, 80 b, 80 c and 80 d at which an attack is targeted are server computers, and the one or more first computers 20 a, 20 b and 20 c from which an attack originates are client or user computers. However, a preferred embodiment does not necessarily differentiate between client and server computers in detecting and/or mitigating an attack. Thus, each of the first and second computers may comprise a server, client, networked electronic device, or any type of network node. Sometimes, for example, an attack in the form of a SYN-flood attack is launched from several different computers, including servers, clients, company networks or sub-networks, that are unwittingly infected with a SYN-flood virus.

Furthermore, it may be desirable to detect and mitigate attacks using multiple different techniques. As such, some preferred embodiments use more than one attack mitigation module 110. In some embodiments, the attack mitigation modules 110 are chained or combined, for example, by providing a series of processors connected within a preferably high-speed local fiber optic network, or attack mitigation pipe or loop 150, within the data cleaning center 100. Preferably, the attack mitigation modules 110 are embodied in hardware, software, or a combination of hardware and software.

There are several types of attack mitigation modules 110 that may be used in a preferred embodiment of the claimed invention. For example, many types of attack mitigation modules 110 are configured to detect a flood-type DoS attack, or DDoS attack. Some modules 110 perform this type of detection by using statistical analysis on data packets D_(in) received from the network 10 to determine when the data packets vary from normal network traffic. Normal network traffic is determined based on observations of network traffic for a particular network. Thresholds for abnormal network traffic may be established based upon the observations and upon a balance between security level and false positive indications. An appropriate balance must be selected since a lower threshold will likely result in higher security, but may cause more false positive indications of an attack. On the other hand, a higher threshold can result in lower security, but with fewer false positive indications.

Preferably, after establishing the thresholds, the attack mitigation module 110 statistically analyzes the network traffic to determine when the traffic exceeds the thresholds. In this embodiment, if the traffic exceeds the thresholds, an attack is detected. After an attack is detected, countermeasures can be initiated to block data packets from a specific IP address. Additionally, countermeasures can be initiated to block data packets to or from a common port, data packets having a common protocol, and/or data packets having the same target or destination IP address. Because source addresses can be spoofed, as noted above, blocking on source IP address is most dependable for traffic whose sender has completed a TCP handshake, and it does little against a flood that rotates spoofed sources.

In some attack mitigation modules 110, a hash (or reduction) function is performed on the data packets, the results of which are stored in a hash table. In such an embodiment, if the standard deviation of the entry counts in the hash table meets a threshold value, then a network attack is detected.

Preferably, some attack mitigation modules 110 can monitor a parameter value, such as the protocols or protocol flags of network data packets. These modules preferably construct a histogram of the parameter value, and compare the histogram to a threshold value. In such an embodiment, if a portion of the histogram exceeds the threshold, then a network attack is detected.

Another preferred attack mitigation module 110 monitors the ratio of data packets received and sent to a single computer. If the ratio exceeds a threshold value, then a network attack is detected. Alternatively, the attack mitigation module 110 may monitor, for example, the ratio of traffic from a first computer (e.g., 20 a) to a second computer (e.g., 80 b), over the traffic from the second computer 80 b to the first computer 20 a. If the ratio exceeds a threshold value, then an attack may be detected, and the traffic between the first computer 20 a and second computer 80 b may be discarded.

In another aspect of a preferred embodiment, another attack mitigation module 110 determines whether the attack was initiated from a single source computer 20 a, or determines whether data packets included in an attack have a common port or protocol. If the attack was initiated from a single source computer 20 a, then all data packets having the same attacking source IP address can be discarded. Additionally, if the attack was initiated by data packets having a common port or protocol, then all data packets having the common port or protocol can be discarded. Preferably, the attack mitigation modules 110 use other identifying information, such as the destination address, the destination port, or the content of the data packet itself, to determine whether a data packet should be discarded.
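The statistical detectors sketched in the preceding paragraphs, as an added Python example that is not code from the patent: a histogram of TCP flag values compared to a threshold, a hash-table reduction whose bucket-count standard deviation rises under a flood of identical packets, the per-host ratio of packets received to packets sent, and a check for a single dominant source. The Packet record, the threshold values and the sample traffic are assumptions constructed for illustration; the text says only that thresholds are tuned from observed baseline traffic.

```python
import hashlib
import statistics
from collections import Counter, namedtuple

# Minimal flow record for the example (assumed shape, not from the patent).
Packet = namedtuple("Packet", "src dst proto flags")

# Assumed thresholds; the document says they are tuned from observed baseline traffic.
SYN_FRACTION_THRESHOLD = 0.80   # share of TCP packets that are bare SYNs
IN_OUT_RATIO_THRESHOLD = 10.0   # packets addressed to a host / packets it sends
SINGLE_SOURCE_FRACTION = 0.50   # share of a target's inbound packets from one source


def flag_histogram(packets):
    """Histogram of TCP flag combinations as fractions of all TCP packets."""
    tcp = [p for p in packets if p.proto == "tcp"]
    counts = Counter(p.flags for p in tcp)
    total = len(tcp) or 1
    return {flags: n / total for flags, n in counts.items()}


def syn_flood_suspected(packets, threshold=SYN_FRACTION_THRESHOLD):
    """A portion of the histogram (bare SYNs) exceeding the threshold signals a flood."""
    return flag_histogram(packets).get("S", 0.0) > threshold


def hash_table_stddev(packets, buckets=16):
    """Reduce each packet to a bucket with a hash of (src, dst, proto, flags) and
    return the standard deviation of the bucket counts. Identical flood packets
    pile into one bucket, so the deviation rises sharply under attack."""
    counts = [0] * buckets
    for p in packets:
        digest = hashlib.sha1(repr((p.src, p.dst, p.proto, p.flags)).encode()).digest()
        counts[int.from_bytes(digest[:4], "big") % buckets] += 1
    return statistics.pstdev(counts)


def in_out_ratios(packets):
    """For each host, packets addressed to it divided by packets it sent."""
    to_host, from_host = Counter(), Counter()
    for p in packets:
        to_host[p.dst] += 1
        from_host[p.src] += 1
    return {h: to_host[h] / max(from_host[h], 1) for h in set(to_host) | set(from_host)}


def hosts_over_ratio(packets, threshold=IN_OUT_RATIO_THRESHOLD):
    """Hosts receiving far more than they send: likely flood targets."""
    return sorted(h for h, r in in_out_ratios(packets).items() if r > threshold)


def dominant_source(packets, target, fraction=SINGLE_SOURCE_FRACTION):
    """Source sending more than `fraction` of the packets addressed to `target`, if any."""
    toward = [p for p in packets if p.dst == target]
    if not toward:
        return None
    src, n = Counter(p.src for p in toward).most_common(1)[0]
    return src if n / len(toward) > fraction else None


def build_sample():
    """Constructed traffic: five completed handshakes against 80a as the baseline,
    and a 100-packet SYN flood from one source against 80b."""
    baseline = []
    for i in range(5):
        client = f"20.0.0.{i}"
        baseline += [Packet(client, "80a", "tcp", "S"), Packet("80a", client, "tcp", "SA"),
                     Packet(client, "80a", "tcp", "A"), Packet("80a", client, "tcp", "PA")]
    flood = [Packet("20.0.0.99", "80b", "tcp", "S") for _ in range(100)]
    return baseline, flood


if __name__ == "__main__":
    base, flood = build_sample()
    print(flag_histogram(base), flag_histogram(base + flood))
    print(hash_table_stddev(base), hash_table_stddev(base + flood))
    print(hosts_over_ratio(base + flood), dominant_source(base + flood, "80b"))
```

Each detector returns a value rather than printing, so the thresholds can be tuned against recorded baseline traffic before any of them is wired to a drop action. The in/out ratio is the cheapest of the four to run at line rate, since it needs only two counters per host.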

Additionally, in another preferred attack mitigation module 110, the module detects an attack by determining whether a number of duplicate GET commands have been received that exceeds a threshold value. If the threshold value is exceeded, then the duplicate packets are discarded. This module is described in more detail below.

Yet another preferred attack mitigation module 110 detects an attack by determining whether a user agent header entry in a packet header of a received data packet contains an alphabetical character. If an alphabetical character is not detected, the data packet is discarded. This module is described in more detail below.

Still another preferred attack mitigation module 110 detects an attack by determining whether a host value header entry exists in a packet header of a data packet. If the host value header entry does not exist, the data packet is discarded. This module is described in more detail below.
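The four header checks introduced in the Summary (duplicate GET counting with a hash, a user agent containing a letter, presence of a host value, and CRLF line breaks) and restated in the three paragraphs above, as one added Python example that is not the patent's own code. The request parser, the SHA-256 key, the threshold of 3 and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import Counter

DUPLICATE_GET_THRESHOLD = 3  # assumed value; the document leaves the threshold configurable


def has_valid_line_breaks(raw: bytes) -> bool:
    """Valid line breaks are CRLF pairs; a bare CR or bare LF left over after
    removing every CRLF marks the request as non-valid."""
    stripped = raw.replace(b"\r\n", b"")
    return b"\r" not in stripped and b"\n" not in stripped


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, headers); headers
    are keyed by lower-cased name. Returns None if the head is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            return None
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_present(headers) -> bool:
    return headers.get(b"host", b"") != b""


def user_agent_has_letter(headers) -> bool:
    return re.search(rb"[A-Za-z]", headers.get(b"user-agent", b"")) is not None


class DuplicateGetCounter:
    """Counts identical GETs over one sample period. The key is a SHA-256 of the
    request target and host, so the table holds fixed-size digests rather than
    full request lines (the 'hashing algorithm' the document mentions)."""

    def __init__(self, threshold=DUPLICATE_GET_THRESHOLD):
        self.threshold = threshold
        self.counts = Counter()

    @staticmethod
    def key(target, headers):
        return hashlib.sha256(target + b"\0" + headers.get(b"host", b"")).digest()

    def is_duplicate_flood(self, target, headers) -> bool:
        k = self.key(target, headers)
        self.counts[k] += 1
        return self.counts[k] > self.threshold

    def reset(self):
        """Call at the end of each sample period (cf. FIG. 4)."""
        self.counts.clear()


def filter_request(raw: bytes, dup: DuplicateGetCounter) -> str:
    """Return 'pass', or 'drop:<check>' naming the check that discarded the request."""
    if not has_valid_line_breaks(raw):
        return "drop:line-breaks"
    parsed = parse_request(raw)
    if parsed is None:
        return "drop:malformed"
    method, target, headers = parsed
    if not host_present(headers):
        return "drop:no-host"
    if not user_agent_has_letter(headers):
        return "drop:user-agent"
    if method == b"GET" and dup.is_duplicate_flood(target, headers):
        return "drop:duplicate-get"
    return "pass"


# Constructed sample requests, not captured traffic.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\nHost: example.test\nUser-Agent: Mozilla/5.0\n\n",    # bare LF
    b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",                   # no Host
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: 12345\r\n\r\n",   # UA with no letter
]


def run_samples():
    dup = DuplicateGetCounter(threshold=3)
    single = [filter_request(r, dup) for r in SAMPLES]
    # Replay the well-formed request; the fourth copy overall trips the threshold.
    flood = [filter_request(SAMPLES[0], dup) for _ in range(4)]
    return single, flood


if __name__ == "__main__":
    print(run_samples())
```

Two caveats a practitioner would add. The user agent and host value checks only catch tools that send malformed requests: Host is mandatory in HTTP/1.1 and User-Agent is entirely attacker-controlled, so any flood that sends well-formed requests passes both. The duplicate-GET counter is the check with teeth, but it must be reset per sample period and its key must be chosen with care, since keying on target and host alone lets a flood that varies the query string evade it, while keying on the full request line lets an attacker dilute the count the same way.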

In yet another preferred embodiment, the attack mitigation module 110 keeps a blacklist of source addresses. The blacklist is created, for example, from prior recorded attacks. If a received data packet, D_(in), contains a source address that is a member of the blacklist, the packet is blocked or discarded. In this regard, as attacks get more sophisticated, the attackers are able to modify the source address in the attacking data packets. However, even after changing the source addresses, many of the attacks use data packets that have not changed the source server or sub-network. The blacklist also tracks suspect servers or sub-networks. In one preferred embodiment, the attack mitigation module 110 discards data packets from a server or sub-network if, for example, more than a threshold number of attacks have originated from the server or sub-network within the past year. It should be noted that any time period might be used, however, for such a determination.

Preferably, the attack mitigation modules 110 produce a volume of data that is free of the data causing the attack, called clean data, or D_(out), herein, for sending to the one or more second computers 80 a, 80 b, 80 c and 80 d. The amount or volume of the clean data is measured as D_(out) over a time period, P_(out).

The data cleaning center 100 may optionally include a distribution router 112, which provides a backbone or clean pipe to other data cleaning centers 100 a, 100 b, 100 c and 100 d following processing by the attack mitigation modules 110. Preferably, the backbone uses a high-speed connection 158 to directly connect each data cleaning center 100, 100 a, 100 b, 100 c and 100 d. Providing a connection to the other data cleaning centers 100 a, 100 b, 100 c and 100 d allows two or more data cleaning centers to share and distribute processing. For example, some data cleaning centers have updated attack mitigation modules 110 that preferably are remotely accessed by other data cleaning centers that have not been updated.

Further, if a particular data cleaning center 100 has one or more subsystems that fail, such as one or more attack mitigation modules 110, then the attack detection and/or mitigation function may be outsourced to a fully functioning data cleaning center through the distribution router 112. Moreover, if one data cleaning center 100 a is overwhelmed by one or several large attacks, processing of the one or more attacks may be load balanced across the backbone 158 to distribute processing across the other data cleaning centers 100, 100 b, 100 c and 100 d.

Preferably, after the received data, D_(in), is processed to produce the clean data, D_(out), the next task is to provide the clean data, D_(out), to one or more proxy servers 116. In one preferred embodiment, the proxy servers provide a reverse proxy function to the one or more second computers 80 a, 80 b, 80 c and 80 d. In this case, the second computers 80 a, 80 b, 80 c, and 80 d comprise server computers. As is typical, the proxy servers 116 provide added protection to the second computers 80 a, 80 b, 80 c and 80 d that are server computers. For example, a firewall may be included in a proxy server 116 that is specific to the target server. Further, a server may also use two or more of the proxy servers 116 to provide load balancing.

In this regard, load balancing of all of the proxy servers 116 is preferably provided using a load balancing apparatus 114. The load balancing apparatus 114 may include, by way of example only, and not by way of limitation, a RADWARE WSD™ device produced by Radware, Inc. of Mahwah, N.J., or a JUNIPER™ M series device produced by Juniper Networks, Inc. of Sunnyvale, Calif. Any other similar device may also be used.

In one embodiment, two or more of the load balancing systems 114 are provided so that different types of systems are available for matching with the proxy servers 116 depending on specific requirements. For example, software-based load balancing systems 114 tend to be less expensive, but slower, than hardware-based load balancing systems 114. Further, a particular server computer 80 b may, for example, only require the slower software-based load balancing system 114 because the server 80 b has a lower throughput of clean data, D_(out), than another server 80 c, which requires a faster, hardware-based load balancing system 114 because of its higher usage.

One or more of the attack mitigation modules 110 may be located in, or execute on, each of the proxy servers 116. It is preferable, for example, for those mitigation modules 110 that operate at the application layer to reside in the proxy servers 116, after the network layer packet headers have been stripped. For example, the mitigation module 110 that checks for duplicate GET commands is preferably located on each of the proxy servers 116.

After the clean data, D_(out), is routed through the proxy servers 116, it is processed by the core router 108 for forwarding to its destination over the network 10. The meter 104 takes a measurement of the clean data, D_(out), as it is routed out to the core edge aggregation router 102, which processes the clean data, D_(out), for distribution through the network 10.

In one embodiment, while the meter 104 performs the task of measuring D_(in) and D_(out), the meter 104 further compares the measurements to determine whether an attack has been mitigated by the attack mitigation modules 110. For example, the meter 104 may determine that such an attack directed toward one or more of the second computers 80 a, 80 b, 80 c and 80 d has been mitigated if D_(out) divided by P_(out) is substantially less than D_(in) divided by P_(in).

In preferred embodiments of the claimed invention, there is flexibility with regard to the implementation of this detection method. For example, in most embodiments, wherein the time periods P_(in) and P_(out) are long enough (e.g., 10 seconds), the measurement of the data D_(in) and D_(out) occurs during the same time interval, so that the start of the time periods P_(in) and P_(out) is concurrent. In these embodiments, any latency, L, that occurs in the one or more attack mitigation modules 110, proxy servers 116, or other modules within the data cleaning center 100 would be a matter of microseconds. Accordingly, any difference in the measurement of D_(in) and D_(out) caused by the latency, L, would be relatively minimal when compared to the data throughput of the data cleaning center 100.

However, in configurations wherein the time periods P_(in) and P_(out) are closer in duration to the latency period, L, for processing of the received data, D_(in), the latency period, L, is preferably taken into account in the detection method. In these configurations, it may be desirable to measure D_(in) and D_(out) over two different, but equal, time periods, P_(in) and P_(out), to account for the latency, L, for processing of the received data, D_(in), by the attack detection and/or mitigation modules. More specifically, the time period P_(out) has a start time that occurs after the start time of P_(in), plus the latency time period, L, for processing of the received data, D_(in), by the attack detection and/or mitigation modules. Typically, the latency period, L, is calculated from historical averages of the time taken to process the received data, D_(in), by the attack detection and/or mitigation modules 110, or other sub-systems within the data cleaning center 100.

Another variable in the implementation of the detection method is the measure of the value of "substantially less" with regard to the comparison of D_(out) divided by P_(out) and D_(in) divided by P_(in). For example, in one embodiment, the measure of what is "substantially less" for determining whether an attack is occurring may be an almost absolute measurement. Specifically, D_(out) divided by P_(out) may be deemed substantially less than D_(in) divided by P_(in) if (D_(in) divided by P_(in)) minus (D_(out) divided by P_(out)) is greater than 0, within a tolerance of a few megabits per second in high-throughput systems.

However, in another embodiment, D_(out) divided by P_(out) may be considered to be substantially less than D_(in) divided by P_(in) if (D_(in) divided by P_(in)) minus (D_(out) divided by P_(out)) is greater than a specified threshold value. Preferably, the threshold value is determined from historical averages of the differences between the values of the received data, D_(in) divided by P_(in), and the clean data, D_(out) divided by P_(out), during normal, non-attack operation. The differences in the values may be due to processes in the system such as caching or the like. In this embodiment, the use of the threshold value may also provide a method for taking the latency, L, into account in the determination as to whether there is an attack.

In another preferred embodiment, some of the data D_(in) received from the one or more first computers 20 a, 20 b and 20 c is cached after it is cleaned. Subsequently, as is typical in many networked systems, a portion of the received data D_(in) is the same as, or a duplicate of, previously received data D_(in). If the cleaned version, D_(out), of the received data is in the cache, then the cached clean data, D_(cache), is sent to the one or more second computers 80 a, 80 b, 80 c and 80 d in lieu of that portion of the received data, D_(in). In this embodiment, the cache is mathematically taken into account in determining the meaning of "substantially less." Specifically, the system determines that D_(out) divided by P_(out) is substantially less than D_(in) divided by P_(in) if ((D_(out) plus D_(cache)) divided by P_(out)) is less than (D_(in) divided by P_(in)). As described above, if the result is a non-zero value, a threshold value is used in this embodiment to compare against the result, to allow for non-attack condition variances before an attack is determined to have been detected.

In another embodiment, the time periods P_(in) and P_(out) do not necessarily have to be equal in length, as the comparison of the received data, D_(in), and the clean data, D_(out), is normalized by the division by their respective time periods, P_(in) and P_(out), to provide megabit per second (Mbit/sec) rates that can be compared. Also in this embodiment, a threshold value is used in the comparison of the rates to take into consideration non-attack condition fluctuations in data rates.
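The following is an added example, not code from the patent, of the meter comparison described in the preceding paragraphs: D_(in) and D_(out) are summed over their own windows, P_(out) is started a latency L after P_(in), cached clean data D_(cache) is credited to the output, both volumes are normalized to Mbit/s so that unequal periods compare, and the difference is judged against a threshold derived from non-attack history. The packet samples and the history of non-attack differences are constructed; the function names and the mean-plus-three-standard-deviations rule for the threshold are assumptions.

```python
"""Rate comparison for the meter 104: is (D_out + D_cache)/P_out "substantially
less" than D_in/P_in?  Added example; samples and names are constructed/assumed."""
import statistics
from typing import Optional, Sequence, Tuple

Sample = Tuple[float, int]   # (arrival timestamp in seconds, packet size in bits)


def volume_in_window(samples: Sequence[Sample], start: float, period: float) -> int:
    """D: total bits of the samples that fall in [start, start + period)."""
    return sum(bits for t, bits in samples if start <= t < start + period)


def rate_mbit_s(volume_bits: float, period_s: float) -> float:
    """Normalize a volume over its own period to Mbit/s so unequal P_in, P_out compare."""
    if period_s <= 0:
        raise ValueError("period must be positive")
    return volume_bits / period_s / 1e6


def baseline_threshold_mbit_s(normal_diffs: Sequence[float], k: float = 3.0) -> float:
    """Threshold from historical (D_in/P_in - D_out/P_out) values observed during
    non-attack operation (e.g. caching): mean plus k population standard deviations."""
    mean = statistics.fmean(normal_diffs)
    sd = statistics.pstdev(normal_diffs) if len(normal_diffs) > 1 else 0.0
    return mean + k * sd


def attack_detected(in_samples: Sequence[Sample], out_samples: Sequence[Sample],
                    start_in: float, p_in: float, p_out: Optional[float] = None,
                    latency: float = 0.0, cache_bits: int = 0,
                    threshold: float = 0.0) -> Tuple[bool, float, float]:
    """Returns (detected, D_in/P_in, (D_out + D_cache)/P_out).  P_out starts
    `latency` seconds after P_in, so data still inside the modules is not counted
    as discarded; cached clean data is credited to the output before comparing."""
    p_out = p_in if p_out is None else p_out
    d_in = volume_in_window(in_samples, start_in, p_in)
    d_out = volume_in_window(out_samples, start_in + latency, p_out)
    in_rate = rate_mbit_s(d_in, p_in)
    out_rate = rate_mbit_s(d_out + cache_bits, p_out)
    return (in_rate - out_rate) > threshold, in_rate, out_rate


# Constructed traffic: 100 packets of 12,000 bits arrive over 10 s; the mitigation
# modules pass 60 of them, each delayed by 50 ms of processing latency.
IN_SAMPLES = [(i * 0.1, 12_000) for i in range(100)]
OUT_SAMPLES = [(i * 0.1 + 0.05, 12_000) for i in range(100) if i % 5 < 3]
# Constructed non-attack history of in/out rate differences in Mbit/s.
NORMAL_DIFFS = [0.001, 0.002, 0.0015, 0.001]


def demo() -> Tuple[bool, float, float]:
    threshold = baseline_threshold_mbit_s(NORMAL_DIFFS)
    return attack_detected(IN_SAMPLES, OUT_SAMPLES, start_in=0.0, p_in=10.0,
                           latency=0.05, threshold=threshold)


if __name__ == "__main__":
    detected, r_in, r_out = demo()
    print(f"D_in/P_in={r_in:.3f} Mbit/s  D_out/P_out={r_out:.3f} Mbit/s  attack={detected}")
```

With a 10-second window the 50 ms offset changes nothing, as the text says; the `latency` parameter matters only when P_(in) and P_(out) shrink toward L, and the same call then implements the two-window variant.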

In one embodiment, the meter 104 is more passive and merely records the measurements of D_(in) over P_(in) and D_(out) over P_(out). Further, it may be preferable to provide for remote access by a network device, such as a client computer or workstation 90, to the data cleaning center 100 to perform any other calculations necessary to determine whether an attack is occurring. In this embodiment, the remote workstation 90 comprises a standard personal computer or notebook with access to the network 10. Using the workstation 90, components of the data cleaning center 100 are preferably accessed through a secure connection using known encryption techniques. Specifically, the remote workstation 90 may read the measurements taken by the meter 104 to perform the determination of whether an attack is occurring. Using such a workstation 90 provides the added advantage of allowing the measurements from the meter 104 to be downloaded, stored, and manipulated in various statistical software packages, such as EXCEL™ by the Microsoft Corp., or OPENVIEW™ by the Hewlett-Packard Development Company, L.P.

In one embodiment, an alert apparatus is provided either as a part of the meter 104 or of the remote workstation 90, to provide an alert if an attack is detected and/or mitigated. Preferably, the alert apparatus provides, by way of example only and not by way of limitation, an electronic mail alert, an audible alert, a visible alert, or the like.

Referring now to FIG. 2, a schematic block diagram of various hardware components of the data cleaning center 100 is shown according to another preferred embodiment. The data, D_(in), is received by the core edge router 102. Such a core edge router 102 may comprise a JUNIPER M40™ router produced by Juniper Networks of Sunnyvale, Calif. Any similar device may also be used. The core edge router 102 performs the task of filtering the incoming data packets, D_(in), which comprises discarding all packets using the UDP or ICMP protocols. In some instances, one of the second computers being protected by the data cleaning center 100 may require reception of UDP or ICMP packets. In those instances, an administrator at the data cleaning center 100 configures the core edge router 102 so that UDP or ICMP data packets received for that particular second computer are allowed to pass through the data cleaning center 100. Nevertheless, the attack mitigation modules 110 described herein can sufficiently protect a second computer 80 receiving UDP and ICMP packets from various attacks.

Preferably, the core router 108 is, by way of example only, a BIG IRON™ 4000 router available from Foundry Networks of San Jose, Calif., which provides network layer three packet switching. In some embodiments, more than one router is used to perform the functions of the core router 108. For example, one BIG IRON™ 4000 system may be used to process the received data, D_(in), and another may be used to process the clean data, D_(out).

From the core router 108, the received data, D_(in), may pass through the meter 104. In one preferred embodiment, the meter 104 comprises, by way of example only, a NET IRON 800™ monitor, which provides a gigabit layer three switch that can monitor the received data, D_(in). As stated above, the meter 104 also may be configured to monitor the clean data, D_(out), that is outgoing back to the network 10 after passing through the other components of the data cleaning center 100. In this way, the meter 104 provides a "mirrored image" observation of the data D_(in) being received by the data cleaning center and the corresponding clean data, D_(out), being produced by the data cleaning center 100.

In one preferred embodiment, over and above the measurement of D_(in) versus D_(out), the NET IRON 800™ performs some of the functions of the attack mitigation modules 110. For example, a SYN-flood attack detector may be included in the meter 104. The meter 104 sorts and counts the received data packets, D_(in), according to their sources and destinations, and counts the number of packets carrying the TCP SYN flag (shown as "S" in packet captures, the connection-request packets) versus the number of other types of packets, such as acknowledge (ACK) packets, over the same period of time, P_(in). If the number of SYN packets exceeds the number of other packets by more than a threshold, for example 20% more, then a possible attack may have been detected, and an alert may be provided by the alert apparatus. Because the sources of a SYN flood are commonly spoofed and therefore rarely repeat, the counts are preferably also aggregated per destination rather than only per source and destination pair.
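The following is an added example, not code from the patent, of the SYN-flood ratio check just described. It counts SYN-only packets against all other TCP packets over a window P_(in), either per (source, destination) pair or per destination, and reports keys where the SYN count exceeds the other count by more than the given percentage. The packet records are constructed; the function names, the `min_packets` floor (so that a single lone SYN from a new client is not flagged), and the flag constants are assumptions.

```python
"""SYN-flood detector of the kind the meter 104 may perform.  Added example;
packet records are constructed, names and the min_packets floor are assumptions."""
from collections import defaultdict
from typing import Any, Dict, Iterable, Tuple

TCP_SYN = 0x02
TCP_ACK = 0x10

Packet = Tuple[str, str, int]   # (src_ip, dst_ip, tcp_flags)


def is_syn_only(flags: int) -> bool:
    """A connection request: SYN set and ACK clear (a SYN/ACK is not a new request)."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def syn_ratio_suspects(packets: Iterable[Packet], excess: float = 0.20,
                       by_destination: bool = False,
                       min_packets: int = 10) -> Dict[Any, Tuple[int, int]]:
    """Return {key: (syn_count, other_count)} for every key whose SYN count exceeds
    its count of all other packets by more than `excess` (0.20 = 20 %), ignoring
    keys with fewer than `min_packets` packets in the window.  The key is the
    (src, dst) pair, or the destination alone when by_destination is True; the
    latter still catches a flood whose spoofed sources never repeat."""
    counts = defaultdict(lambda: [0, 0])
    for src, dst, flags in packets:
        key = dst if by_destination else (src, dst)
        counts[key][0 if is_syn_only(flags) else 1] += 1
    return {key: (syn, other) for key, (syn, other) in counts.items()
            if syn + other >= min_packets and syn > (1.0 + excess) * other}


# Constructed window P_in: two legitimate clients complete handshakes and send
# data; an attacker sends one SYN from each of 50 spoofed source addresses.
LEGIT = ([("192.0.2.7", "198.51.100.10", TCP_SYN)]
         + [("192.0.2.7", "198.51.100.10", TCP_ACK)] * 5
         + [("192.0.2.8", "198.51.100.11", TCP_SYN)] * 2
         + [("192.0.2.8", "198.51.100.11", TCP_ACK)] * 10)
SPOOFED_FLOOD = [(f"203.0.113.{i}", "198.51.100.10", TCP_SYN) for i in range(1, 51)]
WINDOW = LEGIT + SPOOFED_FLOOD


if __name__ == "__main__":
    print("per (src, dst):", syn_ratio_suspects(WINDOW))
    print("per dst:       ", syn_ratio_suspects(WINDOW, by_destination=True))
```

Run as written, the per-pair view finds nothing, because each spoofed source contributes a single packet, while the per-destination view flags 198.51.100.10 with 51 SYNs against 5 other packets; that contrast is the reason to aggregate per destination.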

In some situations, however, it is preferable to use dedicated computer hardware systems on the local fiber network 150 to perform the attack detection and/or mitigation functions. For example, one of the attack mitigation modules 110 may comprise, by way of example only, and not by way of limitation, an ATTACK MITIGATOR IPS 2800™ or ATTACK MITIGATOR IPS 5500™, each of which is available from Top Layer Networks of Westborough, Mass. The ATTACK MITIGATOR IPS 5500™ blocks HTTP worms and other hybrid threats, using "normalized" deep packet and multi-packet HTTP URL matching and wildcard checking, and is pre-configured to identify hundreds of HTTP URL exploits, including DoS and DDoS attacks and trojan horses.

In another preferred embodiment, one ATTACK MITIGATOR IPS 5500™ contains several or all of the attack mitigation modules 110. However, two or more of the ATTACK MITIGATOR IPS 5500™ devices, shown as 110 a, 110 b, 110 c and 110 d in FIG. 2, are duplicated in the local fiber network 150 to allow load balancing and provide higher output. The Open Shortest Path First (OSPF) routing protocol also may be used, and is able to determine whether a link to an attack mitigation module 110 a or 110 b in the local fiber network 150 is down, so that the received data, D_(in), may be re-routed to the other attack mitigation modules 110 c or 110 d performing the same function.

Another router 130 may be used to re-aggregate the load balanced data, D_(in), which, for the most part, is characterized as clean data, D_(out), by the time it reaches the router 130. Another NET IRON 800™, or a NET IRON 400™ offered by the same manufacturer, may be used to perform this function. In some embodiments, the router 130 may comprise an aggregate of several routers 130 a and 130 b.

Optionally, further attack mitigation modules 110 e and 110 f are used after re-aggregation of the data. For example, the attack mitigation modules 110 e and 110 f preferably comprise commercially available firewall systems, to further ensure that the data, D_(out), is free of data packets sent as part of an attack. If the firewalls 110 e and 110 f are load balanced, then a router 160, such as a NET IRON 800™ or 400™, may be used to re-aggregate the data. In higher volume systems, the re-aggregation process may be split between two or more routers 160 a and 160 b.

After the clean data, D_(out), is re-aggregated, it is ready to be load balanced and apportioned to the proxy servers 116. In the embodiment shown in FIG. 2, the load balancing apparatus 114 comprises a cluster of load balancing systems 114 a and 114 b. In one embodiment, each load balancing system of the cluster 114 comprises, by way of example only, one of the aforementioned RADWARE WSD™ devices, Foundry SERVER IRON™ devices, or Dell POWEREDGE™ devices. The brand selection of each of the load balancing devices 114 a and 114 b mainly depends on the number of proxy servers serviced by the device and the total throughput required. For example, some hardware-based systems, such as the RADWARE WSD™ device, operate faster than some software-based systems, such as the Foundry SERVER IRON™ device.

Preferably, the clean data, D_(out), is then transmitted over the local network 150 back to the core router 108, and then to the core edge router 102. The proxy servers 116 may be divided into clusters, wherein the proxy servers within each of the clusters are load balanced by one of the load balancing devices 114.

As described with respect to FIG. 1, one or more of the attack mitigation modules 110 may be executed on each of the proxy servers, as symbolically shown as 110 g in FIG. 2.

In some embodiments, each and every component illustrated in FIG. 2 may be combined into one processor or computer that has multiple processors, and/or software processes, to perform the functions described above. In other embodiments, the processing for all, or at least some, of the components may be spread across multiple hardware devices for processing in parallel. As an example, in some embodiments, only one load balancing device 114 may be required if only a few proxy servers 116 are needed in the data cleaning center 100. Further, the proxy servers 116 may be combined into one multiplexing device that provides proxy services for several servers.

Methods Performed by the Data Cleaning Center

Referring now to FIG. 3, a flow diagram is shown that illustrates the steps performed by one or more exemplary preferred embodiments of the data cleaning center 100. Specifically, the flow diagram illustrates the steps performed in a method for detecting and mitigating an attack, overload condition, or attempted overload condition (collectively referred to as an "attack") that may originate from one or more first computers, targeting one or more of a plurality of second computers located on a network. A volume of data, D_(in), is received over a time period, P_(in), from one or more first computers located on a network, step 300. The data packets of the received data, D_(in), are filtered to discard data packets using the UDP and ICMP protocols, with the exception that UDP and ICMP packets directed to destination addresses requiring those protocols are not discarded, step 302. The remaining received data packets, D_(in), are measured by the meter over a time period, P_(in), step 304.

The received data packets, D_(in), are processed through the attack mitigation modules to detect and mitigate the attack, step 306, to produce a volume of clean data, D_(out), over a time period, P_(out), wherein the time period P_(out) may be equal to the time period P_(in). The clean data, D_(out), is load balanced, step 308, and processed by the proxy servers, step 310. The clean data, D_(out), over the time period, P_(out), is measured, step 312. The presence or absence of the attack targeting the one or more second computers is determined by calculating whether D_(out) divided by P_(out) is substantially less than D_(in) divided by P_(in), step 314. Finally, the clean data, D_(out), is distributed over the network to the one or more second computers, step 316.

Referring now to FIG. 4, a preferred embodiment method is shown of an attack mitigation module for detecting an attack, based on whether a suspect number of duplicate GET commands, or commands requesting the same information, are received from one or more first computers targeting one or more second computers on a network over a sample time period. It should be noted that duplicates or patterns in the header may also be detected by this method.

The attack mitigation module may be included for use in a data cleaning center protecting a plurality of computer systems, such as that shown in FIG. 1. Preferably, the method of FIG. 4 is executed on each of the proxy servers (116 of FIG. 1). However, the attack mitigation module may be used in a stand-alone device or computer system on the network to protect one or a few server computers, and may be implemented in software, hardware, or in a programmable logic chip, such as an application specific integrated circuit (ASIC), field programmable gate array (FPGA), or the like.

A network connection (e.g., the network edge router of FIG. 1) receives a plurality of data packets, many of which may comprise GET commands, from the one or more first computers located on the network, step 400. Each GET command is stored in a database for a period of time, step 402, which is preferably determined according to a statistical history of the length of time needed to collect a sufficient number of GET commands to sample, and the capacity of the storage device used to store the GET commands. For example, for a system processing up to 10 gigabits per second, and having a network storage device with a capacity of two hundred or more gigabytes set aside for the attack mitigation module's storage, the sample period for storing GET commands may easily be 10 seconds without taxing the system.

The attack mitigation module counts the number of duplicate GET commands that have been received and stored over the sample period, step 404. If the number of duplicate GET commands exceeds a threshold value, step 406, the attack mitigation module may deem an attack to have been detected, step 408. In this embodiment, the attack mitigation module blocks and discards any further duplicate GET commands received from the network, step 410. A message may be sent to a reporting system that alerts an administrator that a GET-flood type attack may be underway, step 411. The message may be in the form of, without limitation, an electronic mail, a voice mail, or an audio or visual alert on an administrator's computer system.

Alternatively, if the threshold is not exceeded, the stored GET commands are cleared from storage, step 412, and processing moves back to step 400. In some embodiments, not all of the GET commands are captured and stored over the sample period; instead, a statistically relevant number of sampled GET commands are copied and stored in order to save processing time and storage.

Still, in other embodiments, in order to save storage space and processing time, a hash, or reduction, function may be applied to each of the GET commands, and the results are stored and sorted into a hash table in step 402. The hash function reduces each GET command to a smaller amount of data for evaluation. If the standard deviation of the entry counts in the hash table, measured in step 404, meets a threshold value, which is checked in step 406 (for being lower in some embodiments, or higher in other embodiments), then a network attack may be detected. Note that a hash of the whole request line distinguishes requests that differ only in a query string or in letter case, so the request is preferably normalized before hashing to avoid under-counting a flood that varies such details.
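The following is an added example, not code from the patent, of the duplicate GET detection of FIG. 4 in its hashed form: each GET request is reduced to a hash of its normalized request line and Host header, stored with its arrival time (step 402), counted over the sample period (step 404), and compared against a duplicate threshold and, optionally, a standard-deviation threshold on the per-key counts (step 406); flagged keys are blocked thereafter (step 410) while a clean window clears storage (step 412). The requests are constructed, and the class and method names, the 16-hex-digit hash truncation, and the 10-second default sample period are assumptions.

```python
"""Duplicate GET detection (FIG. 4) as run on a proxy server 116.  Added example;
requests are constructed, class/method names and parameters are assumptions."""
import hashlib
import statistics
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple


def request_key(raw: bytes) -> str:
    """Hash (reduction) of the normalized request line plus the Host header, so that
    'GET /index.html' and 'get  /index.html' to the same host count as duplicates."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = b" ".join(lines[0].split()).lower()
    host = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().lower()
            break
    return hashlib.sha256(host + b"|" + request_line).hexdigest()[:16]


class GetFloodDetector:
    def __init__(self, duplicate_threshold: int, sample_period_s: float = 10.0,
                 stdev_threshold: Optional[float] = None):
        self.duplicate_threshold = duplicate_threshold
        self.sample_period_s = sample_period_s
        self.stdev_threshold = stdev_threshold      # optional spread-based check
        self.stored: List[Tuple[float, str]] = []   # step 402: (arrival time, key)
        self.blocked: Set[str] = set()

    def observe(self, now: float, raw: bytes) -> None:
        """Step 400/402: store the hash of every GET seen."""
        if raw.split(b" ", 1)[0].upper() == b"GET":
            self.stored.append((now, request_key(raw)))

    def evaluate(self, now: float) -> Tuple[bool, Dict[str, int], float]:
        """Steps 404-412 at the end of a sample period.  Returns
        (attack_detected, {key: duplicate_count flagged}, stdev of per-key counts)."""
        window = [k for t, k in self.stored if now - t <= self.sample_period_s]
        counts = Counter(window)
        spread = statistics.pstdev(counts.values()) if len(counts) > 1 else 0.0
        flagged = {k: c - 1 for k, c in counts.items()
                   if c - 1 > self.duplicate_threshold}
        if self.stdev_threshold is not None and spread > self.stdev_threshold:
            mean = statistics.fmean(counts.values())
            flagged.update({k: c - 1 for k, c in counts.items() if c > mean + spread})
        if flagged:
            self.blocked.update(flagged)   # step 410: discard further duplicates
        else:
            self.stored.clear()            # step 412: nothing suspect, clear storage
        return bool(flagged), flagged, spread

    def should_discard(self, raw: bytes) -> bool:
        """Step 410 applied to a newly received request."""
        return request_key(raw) in self.blocked


# Constructed sample window: 30 copies of one request plus three distinct ones.
ATTACK_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"
LEGIT_REQS = [b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
              b"GET /index.html HTTP/1.1\r\nHost: shop.example.com\r\n\r\n",
              b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]


def run_sample(threshold: int = 20):
    det = GetFloodDetector(duplicate_threshold=threshold)
    for i in range(30):
        det.observe(i * 0.1, ATTACK_REQ)
    for i, req in enumerate(LEGIT_REQS):
        det.observe(5.0 + i, req)
    return det, det.evaluate(now=10.0)


if __name__ == "__main__":
    det, (attack, flagged, spread) = run_sample()
    print(f"attack={attack} flagged={flagged} stdev={spread:.2f}")
```

The threshold is per sample period, so the block's value of 20 duplicates in 10 seconds should be derived from the protected site's own history, as the text says; a popular front page legitimately receives many identical GETs.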

Referring to FIG. 5, a flow diagram is shown that illustrates a method performed by one preferred embodiment of an attack mitigation module for detecting and/or mitigating an attack by discarding data packets that have packet headers with a suspect user agent, or User-Agent, entry. The attack mitigation module may be included for use in a data cleaning center protecting a plurality of computer systems, such as that shown in FIG. 1. Preferably, the method of FIG. 5 is executed on each of the proxy servers (116 of FIG. 1). However, the attack mitigation module may be used in a stand-alone device or computer system on the network to protect one or a few server computers, and may be implemented in software, hardware, or in a programmable logic chip, such as an ASIC, field programmable gate array (FPGA), or the like.

In the standard Internet HTTP protocol, each request received has a header portion that normally includes a user agent entry (the HTTP/1.1 specification recommends, but does not require, that clients send it). When the attack mitigation module receives a data packet, step 500, it reads the user agent entry, step 502. It next determines whether the user agent entry contains a proper value, step 504. For example, a proper user agent header entry may resemble the following sample:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

In most cases, an improper user agent entry is one that does not contain an alphabetical character. Many viral or other types of attacks on network systems send data packets that have non-alphabetical, or sometimes blank, user agent entries. Because legitimate non-browser clients, such as monitoring scripts, may also omit the entry, the threshold for ending a session on this check alone is preferably set with the protected server's expected client population in mind.

If the entry is improper, the session from which the data packet was sent is discarded or ended, step 506. A reporting system may alert an administrator that there was a potential attack, step 508.

If the User-Agent value is proper, then the session is not discarded, and if no other attack mitigation modules prevent processing, the proxy server processes the packets in the session, step 516.

As shown in FIG. 6, a preferred embodiment method of an attack mitigation module that detects and/or mitigates an attack is performed by discarding data packets that have packet headers with suspect host value entries. Preferably, the attack mitigation module is included for use in a data cleaning center protecting a plurality of computer systems, such as that described in FIG. 1. Preferably, the method of FIG. 6 is executed on each of the proxy servers (116 of FIG. 1). However, the attack mitigation module may be used in a stand-alone device or computer system on the network to protect one or a few server computers, and may be implemented in software, hardware, or in a programmable logic chip, such as an ASIC, field programmable gate array (FPGA), or the like.

In the standard Internet HTTP protocol, each request received has a header portion having a host value entry. The host value entry is required by the HTTP/1.1 protocol (a request without it must be rejected by a compliant server) and represents the naming authority of the origin server or gateway given by the original uniform resource locator (URL). This allows the origin server or gateway to differentiate between internally-ambiguous URLs, such as the root "/" URL of a server hosting multiple host names on a single IP address.

When the attack mitigation module receives a data packet, step 600, it reads the host value entry, step 602. It next determines whether the host value entry contains a proper value, step 604. For example, a proper host value header entry, such as Host: www.example.com, follows the grammar:

Host = "Host" ":" host [ ":" port ]

In most cases, an improper host value entry is one that is blank. Many viral or other types of attacks on network systems send data packets that have blank host value entries.

If the entry is improper, the session from which the data packet was sent is discarded or ended, step 606. A reporting system may alert an administrator that there was a potential attack, step 608.

If the host value entry is proper, then the session is not discarded, and if no other attack mitigation modules prevent processing, the proxy server processes the packets in the session, step 616.

Referring now to FIG. 7, a flow diagram is shown that illustrates a method performed in one exemplary embodiment of an attack mitigation module for detecting and/or mitigating an attack by discarding data packets that use improper end-of-line or return characters. Preferably, the attack mitigation module is included for use in a data cleaning center protecting a plurality of computer systems, such as that described in FIG. 1. Preferably, the method of FIG. 7 is executed on each of the proxy servers (116 of FIG. 1). However, the attack mitigation module may be used in a stand-alone device or computer system on the network to protect one or a few server computers, and may be implemented in software, hardware, or in a programmable logic chip, such as an ASIC, field programmable gate array (FPGA), or the like.

In the standard Internet HTTP protocol, the structures of data packets are required to use the full carriage return (CR) and linefeed (LF) pair as the line terminator. The HTTP/1.1 standard (RFC 2616) specifically states that a bare CR or LF must not be substituted for a full CRLF within any of the HTTP control structures, such as header fields. Web browsers must therefore send CRLF as the line break indicator under the standard. If the session does not use CRLF, the session is rejected. It should be noted that the same standard recommends that parsers tolerate a bare LF in message headers, so this check trades some interoperability with lenient clients for strictness.

When the attack mitigation module receives a data packet, step 700, it reads the line break characters, step 702. It next determines whether the line break characters are proper, step 704. In most cases, an improper line break character is one that is merely a CR or an LF, and not a full CRLF. Many viral or other types of attacks on network systems send data packets that have merely CR or LF line breaks.

If a line break is improper, the session from which the data packet was sent is discarded or ended, step 706. A reporting system may alert an administrator that there was a potential attack, step 708.

If the line breaks are proper, then the session is not discarded, and if no other attack mitigation modules prevent processing, the proxy server processes the packets in the session, step 716.
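The following is an added example, not code from the patent, that applies the three header checks of FIGS. 5, 6 and 7 to one HTTP request as a proxy server 116 would see it: line breaks must be CRLF only (a bare CR or LF anywhere in the header section ends the session), the Host entry must be present and non-blank, and the User-Agent entry must contain at least one alphabetical character. The sample requests are constructed; the function names and the ordering of the reasons returned are assumptions.

```python
"""Request-header checks of FIGS. 5, 6 and 7 on one HTTP request.  Added example;
requests are constructed, function names are assumptions."""
import re
from typing import Dict, List, Tuple


def split_header_section(raw: bytes) -> Tuple[bytes, List[bytes], bool]:
    """Split the header section on CRLF.  Returns (request line, header lines,
    bad_line_break).  A CR or LF left inside any line means a bare CR or LF was
    used as a terminator, which RFC 2616 section 3.7.1 forbids (FIG. 7)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    bad = any(b"\r" in line or b"\n" in line for line in lines)
    return lines[0], lines[1:], bad


def parse_fields(lines: List[bytes]) -> Dict[str, bytes]:
    """Header name (lower-cased) -> first value seen, whitespace stripped."""
    fields: Dict[str, bytes] = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep:
            fields.setdefault(name.strip().lower().decode("latin-1"), value.strip())
    return fields


def check_request(raw: bytes) -> List[str]:
    """Return the reasons to end the session; an empty list means the request passes."""
    _, header_lines, bad_break = split_header_section(raw)
    if bad_break:
        # Field parsing cannot be trusted after a bad terminator, so stop here.
        return ["bare CR or LF line break"]
    fields = parse_fields(header_lines)
    problems: List[str] = []
    if not fields.get("host", b""):                     # FIG. 6: missing or blank Host
        problems.append("missing or blank Host header")
    if not re.search(rb"[A-Za-z]", fields.get("user-agent", b"")):   # FIG. 5
        problems.append("User-Agent without an alphabetical character")
    return problems


# Constructed requests exercising each check.
GOOD = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n\r\n")
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
BLANK_HOST = b"GET / HTTP/1.1\r\nHost:\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
NUMERIC_UA = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: 12345\r\n\r\n"
BARE_LF = b"GET / HTTP/1.1\nHost: www.example.com\nUser-Agent: Mozilla/4.0\n\n"


if __name__ == "__main__":
    for name, req in [("good", GOOD), ("no host", NO_HOST), ("blank host", BLANK_HOST),
                      ("numeric UA", NUMERIC_UA), ("bare LF", BARE_LF)]:
        print(f"{name:12s} -> {check_request(req) or 'pass'}")
```

The checks are ordered so that a malformed line break short-circuits the others, since a request that cannot be framed reliably should not be parsed further; in a deployment the User-Agent result is the one most worth making advisory rather than fatal, for the reason given in the text.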

Clean Data Redirection

Referring again to FIG. 1, with some applications of the data cleaning center, the latency involved in using proxy servers to proxy every data packet that is sent from a first computer (e.g., 20 c) to a second computer (e.g., 80 a) may slow down communications between the first computer 20 c and the second computer 80 a. When the first computer 20 c and the second computer 80 a are physically within the same region of the world on the Internet, the latency involved in using the proxy servers 116, or any proxy server, within the same region may not add very much relevant communication time.

However, a unique problem arises when, for example, the first computer 20 c and the second computer 80 a are located in the same region, for example in Australia, and the data cleaning center 100 is located in, for example, the United States. In this case, if the second computer 80 a is a real-time processing server, the latency required for each packet sent between the first computer 20 c and the second computer 80 a to pass through a proxy server 116 in the data cleaning center, or any proxy server in the United States for that matter, could degrade the performance of time-critical or real-time applications. However, administrators of the second computer 80 a may still desire to take advantage of the attack protection system and methods of the data cleaning center 100.

Referring now to FIG. 8, a method is shown for preventing an attempted overload condition targeting a networked computer system that lessens or eliminates the latency effect of using the data cleaning center (e.g., 100 in FIG. 1) to protect the second computer (e.g., 80 a in FIG. 1). Just as in the normal case when the first computer (e.g., 20 c in FIG. 1) requires access to the second computer, the data cleaning center may receive one or more initial data packets from the first computer for processing by the second computer, step 800. For example, the one or more initial data packets may comprise session initiating data packets, so that the first computer may initiate contact with, and set up a session for using, the second computer.

In one embodiment, the data cleaning center redirects the first computer to send the one or more initial data packets to a third computer, step 802, which may comprise a proxy server (116 in FIG. 1) within or proximate to the data cleaning center, or another computer that may or may not be remote from the data cleaning center. The third computer is designated to receive traffic from the first computer until the first computer is verified not to comprise an attacking system.

The attack mitigation modules 110 process the initial data packets to determine whether the one or more initial data packets are legitimate, and not a part of, for example, an attack on the second computer, step 804. If the attack mitigation modules determine that the initial data packets are not a part of an attempted overload condition, step 806, then the first computer is redirected to send subsequent data packets directly to the second computer, step 808, thereby eliminating any latency that would be associated with continuing to process subsequent data packets in the data cleaning center.

With this embodiment and the use of the data cleaning center, there is concern that an attack may escape detection by delaying the attack until after the initial data packets are processed. In order to lessen this possibility, the second computer is configured with one or more local attack detection and/or mitigation modules that are at the least configured to detect such subsequent attacks, step 810. For example, a SYN-Flood mitigation module may be installed on the second computer, or a version of the data cleaning center 100 of FIG. 1 may be installed. If a subsequent attack is detected, step 812, then processing of all subsequent data packets is redirected back to the data cleaning center to use attack mitigation modules and proxy servers to clean the data before processing by the second computer, step 814.

In some embodiments, the domain name of the third computer has a different prefix than the domain name of the second computer. For example, the second computer may have a prefix of www, and the domain name of the third computer may have a prefix of wwwn, wherein n is a numeric value. This way, the main body of the domain name could be the same so that users do not become confused and think that they have been redirected to the wrong server computer.

In one preferred embodiment, the method of the attack mitigation module includes determining whether the initial data packets are a part of an attack. The attack mitigation module determines whether each received initial data packet is from a browser executing on the first computer. For example, this can be checked by attempting to write one or more cookies to the one or more first computers. Viruses running on the first computer, for example, sending data packets to the second computer currently do not have the ability to accept cookie files from the second computer. The failure to write the cookie file could indicate the initial data packets are a part of the attack, and the subsequent data packets should not be redirected to the second computer.

In another preferred embodiment, another way of determining whether the network connection has received the initial data packets from a browser executing on the first computer comprises presenting text, in a distorted image, or other human-only readable test, to be typed into the one or more browsers by one or more users. An example of a human-only readable challenge is used, by way of example only, by Yahoo!, Inc. of Sunnyvale, Calif., in their user-mail registration systems. Other human-only readable challenges are also known (e.g., Ticketmaster, and the like). If the second computer receives an incorrect response that does not satisfy the human-only challenge, or if there is no response at all, as would be the case with most viruses, then an attack could be indicated, and the subsequent data packets should not be redirected to the second computer.
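The FIG. 8 flow (steps 800 through 814), with the cookie-based browser check of the preceding paragraphs as the verification step, modelled in Python as an added illustration that is not part of the patent or any embodiment described in it. The host names, the cookie name and the per-source packet limit used by the local module are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed names: the second computer keeps the www prefix, the third
# computer (the proxy server) uses the wwwn prefix with n = 1.
PROTECTED_HOST = "www.example.com"
SCRUBBING_HOST = "www1.example.com"
COOKIE = "dcc_verify"   # hypothetical cookie name used for the browser check

@dataclass
class Request:
    src: str
    cookies: dict = field(default_factory=dict)

class CleaningCenter:
    """Steps 800-808: the first computer is sent to the third computer, a
    cookie write is attempted, and only a client that returns that cookie is
    redirected to talk to the second computer directly."""
    def __init__(self):
        self.issued = {}        # source -> cookie value the center tried to write
        self.verified = set()   # sources allowed to bypass the center

    def handle(self, req):
        """Returns the host the client is told to send its next packets to."""
        if req.src in self.verified:
            return PROTECTED_HOST                           # step 808
        if req.src not in self.issued:                      # steps 800/802/804
            self.issued[req.src] = secrets.token_hex(8)
            return SCRUBBING_HOST
        if req.cookies.get(COOKIE) == self.issued[req.src]:  # step 806
            self.verified.add(req.src)
            return PROTECTED_HOST
        return SCRUBBING_HOST   # cookie not accepted: keep cleaning its traffic

class LocalMonitor:
    """Steps 810-814: a local module on the second computer (a stand-in for the
    SYN-Flood module named in the text) counts packets per source and sends
    any source over the limit back through the cleaning center."""
    def __init__(self, center, limit):
        self.center, self.limit, self.counts = center, limit, {}

    def observe(self, src):
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] > self.limit:                   # step 812
            self.center.verified.discard(src)               # step 814
            return SCRUBBING_HOST
        return PROTECTED_HOST
```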

DNS Attack Mitigation

Another preferred embodiment relates to a system and method for detecting and/or mitigating an attack targeting a domain name service (DNS) server. The DNS server may operate remotely from the system protecting it, as is the case with respect to one or more second computers described in FIG. 1. A pre-processing system for the DNS server is provided to absorb, to detect and to mitigate attacks. However, in some configurations, the DNS server may use its own protection system embodied in a separate processor connected between the network and the DNS server, or in a local processor embedded within the DNS server itself.

FIG. 9 illustrates an embodiment of the DNS server protection system 900 to protect a DNS server 30. A network connection 126 is provided for receiving one or more DNS requests from one or more client computers 22 a, 22 b and 22 c located on the network 10. A preferred embodiment includes a processor 902, separate from that normally used by the DNS server 30, for providing a response for the one or more DNS requests to the one or more client computers 22 a, 22 b and 22 c before or instead of normal processing by the DNS server 30.

In one embodiment, the processor 902 protects two or more load balanced DNS servers 30. A load balancing router 950 performs load balancing between the DNS servers 30.

Preferably, the added processor 902 monitors the volume of requests received per second to the DNS servers 30. If a threshold volume is detected, then processing of the DNS requests is diverted to the processor 902.

Referring now to FIG. 10, a flow diagram is shown that illustrates a preferred method performed by the DNS protection system for detecting and/or mitigating an attack targeting the DNS server. One or more DNS requests are received from the one or more client computers located on a network, step 1000. The processor 902 checks whether the request is directed to port 53, step 1002. All requests not directed to port 53 are discarded, step 1004. A sanity check is performed on the request, which determines whether DNS standard request requirements are met in the request, step 1006. Standards for DNS requirements may be found by contacting the Internet Engineering Task Force (www.IETF.org). Specifically, standards may be viewed in the request for comments (RFC) section of the IETF web site. If the request does not comply with DNS requirements, the request is discarded, step 1004.

Next, the processor 902 determines whether the request is for a domain name on a list of valid domain names for the DNS server, step 1008. If not, then the request is discarded, step 1004.

If the request is not discarded, the processor 902 places the request in a database, step 1010. The database may be keyed by the source address and target domain name requested. Further, a hit count is kept in the database to count the number of (duplicate) requests for each source address and request.

The processor 902 checks whether the recorded hit count for the request exceeds a threshold for the number of requests over a period of time (for example, over the last ten seconds), step 1212. The threshold is based on the capacity of the DNS server(s) 30. If the threshold is exceeded, then the processor 902 itself services all requests for the particular source address and target domain requested until the hit count is reduced, step 1014. If necessary, the processor 902 makes a request to the DNS server 30 to obtain the IP address to answer the request. However, in one embodiment, the required information is kept in a memory in the DNS protection system 900.

Otherwise, if the hit count threshold is not exceeded, the DNS server(s) 30 process the request directly, step 1016.

Referring again to FIG. 9, the processor 902 is preferably configured to execute instructions as fast as possible, given the size and speed of attacks that typically are to be handled by the processor. Thus, in a preferred embodiment, the instructions to respond to requests are built directly into the chip logic of the processor 902. The list of valid domain names may be stored in a database 912 in a high-speed memory 920 in the DNS protection system 900. The high-speed memory 920 is preferably connected to the processor 902 through a high-speed data bus 922. Further, the database of received requests and hit counts is stored in a sorted database 914 located in the high-speed memory 920.

A cache 916 of requests previously processed by the DNS server 30 may be stored in the memory 920 so that the processor 902 may perform step 1014 of FIG. 10 without the need to make a special request to the DNS server(s) 30.
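The FIG. 10 decision sequence (port check, sanity check, valid-domain list, per-source hit count over a ten second window, and answering from the cache 916 once the threshold is exceeded), written as a software model in Python. This is an added illustration, not code from the patent; the valid-domain list, the threshold value, the cached address and the sample queries are constructed, and the sanity check is the added example's own reading of the RFC 1035 header and question format.

```python
import struct, time
from collections import defaultdict, deque

# Constructed stand-ins for database 912, the window/threshold, and cache 916.
VALID_DOMAINS = {"example.com", "www.example.com"}
WINDOW_SECONDS, THRESHOLD = 10.0, 5
CACHE = {"www.example.com": "192.0.2.10"}   # TEST-NET-1 address, constructed

def build_query(name, qid=1):
    """Constructs a minimal RFC 1035 A query; used only to make sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def parse_query(data):
    """Step 1006 sanity check: header, QR clear, one question, sane QNAME."""
    if len(data) < 12:
        return None
    _qid, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    if flags & 0x8000 or qd != 1 or an or ns or ar:
        return None
    labels, pos = [], 12
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        if n & 0xC0 or pos + 1 + n > len(data):
            return None          # compression pointers are not valid in a query
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(data):      # terminating zero byte plus QTYPE and QCLASS
        return None
    return ".".join(labels).lower()

class DnsGuard:
    def __init__(self, now=time.monotonic):
        self.now = now
        self.hits = defaultdict(deque)   # database 914: (src, name) -> times
    def handle(self, src, dport, data):
        """Returns ('discard', None), ('answer', ip) or ('forward', name)."""
        if dport != 53:                                    # steps 1002/1004
            return ("discard", None)
        name = parse_query(data)
        if name is None or name not in VALID_DOMAINS:     # steps 1006/1008
            return ("discard", None)
        window, t = self.hits[(src, name)], self.now()     # step 1010
        window.append(t)
        while window[0] < t - WINDOW_SECONDS:
            window.popleft()
        if len(window) > THRESHOLD:                        # step 1014
            return ("answer", CACHE.get(name))
        return ("forward", name)                           # step 1016
```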

It will be apparent from the foregoing that, while particular forms of the invention have been illustrated and described, various modifications can be made without departing from the spirit and scope of the invention. Accordingly, it is not intended that the invention be limited, except as by the appended claims.

1. A system for detecting and mitigating an attempted overload condition targeting a domain name server, comprising: a network connection for receiving a plurality of DNS requests from one or more client computers located on a network, the plurality of DNS requests directed to a DNS server; and a processor for providing a response to the plurality of DNS requests to the one or more client computers, instead of the DNS server, if the processor detects that a threshold number of the plurality of DNS requests received over a time period are substantially duplicate.
2. The system of claim 1, wherein the processor discards any of the DNS requests that are not directed to port 53.
3. The system of claim 1, wherein the processor discards any DNS request that does not pass a DNS sanity check.
4. The system of claim 1, wherein the processor discards each request containing a domain name that is not on a list as a valid domain name.
5. The system of claim 1, wherein the processor detects whether a threshold number of DNS requests are duplicate by storing the received requests in a database, counting the number of requests for a domain name from the same source to produce a hit count over a period of time, and comparing the hit count against a threshold value.
6. The system of claim 5, wherein the processor detects whether a threshold number of DNS requests are duplicate for two or more domain names to produce a hit count over a period of time for each of the two or more domain names.
7. A system for detecting an attempted overload condition targeting a networked computer system, comprising: a network connection for receiving a data packet having an HTTP header; and an attack detection module to determine whether a user agent header entry in the HTTP header contains a non-alphabetical character.
8. The system of claim 7, further comprising an attack mitigation module to discard the data packet if the user agent header entry contains a non-alphabetical character.
9. A system for detecting an attempted overload condition targeting a networked computer system, comprising: a network connection for receiving a data packet having an HTTP header; and an attack detection module to determine whether a host value header entry exists in the HTTP header.
10. The system of claim 9, wherein the attack mitigation module discards the data packet if the host value header entry does not exist in the HTTP header.
11. A system for detecting an attempted overload condition targeting a networked computer system, comprising: a network connection for receiving a data packet; and an attack detection module to determine whether the contents of the data packet include a valid line break indicator.
12. The system of claim 11, further comprising an attack mitigation module to discard the data packet if the contents of the data packet do not include a valid line break indicator.
13. A system for mitigating an overload condition targeting a networked computer system, comprising: a network connection for receiving a plurality of data packets from one or more first computers located on a network, the data packets including a plurality of GET commands directed toward one or more second computers located on the network; and an attack mitigation module to determine whether a number of duplicate GET commands that have been received exceeds a threshold value.
14. The system of claim 13, wherein the attack mitigation module blocks the duplicate GET commands if the threshold value is exceeded.
15. The system of claim 13, wherein the attack mitigation module performs a hash function on the received GET commands to determine if the GET commands are duplicates.
16. A system for preventing an attempted overload condition targeting a networked computer system, comprising: a network connection for receiving one or more initial data packets from one or more first computers for processing by a second computer; a redirection module to redirect the first computer to send the one or more initial data packets to a third computer; an attack detection module to determine whether the one or more initial data packets are a part of an attempted overload condition; and wherein the redirection module redirects the one or more first computers to send one or more subsequent data packets directly to the second computer if the attack detection module determines that the initial data packets are not a part of an attempted overload condition.
17. The system of claim 16, wherein the domain name of the third computer has a different prefix than the domain name of the second computer.
18. The system of claim 17, wherein the domain name of the second computer has a prefix of www, and the domain name of the third computer has a prefix of wwwn, wherein n is a numeric value.
19. The system of claim 16, wherein the attack detection module determines whether the one or more initial data packets are a part of the attempted overload condition by determining whether the network connection has received the one or more initial data packets from one or more browsers executing on the one or more first computers.
20. The system of claim 19, wherein the attack detection module determines whether the network connection has received the one or more initial data packets from one or more browsers executing on the one or more first computers by attempting to write one or more cookies to the one or more first computers.
21. The system of claim 19, wherein the attack detection module determines whether the network connection has received the one or more initial data packets from one or more browsers executing on the one or more first computers by providing a representation of text, in a non-machine readable format, to be typed into the one or more browsers by one or more users.
22. A system for preventing an attempted overload condition targeting a networked computer system, comprising: a network connection for receiving one or more initial data packets from one or more first computers for processing by one or more second computers; a redirection module to redirect the one or more first computers to send the one or more initial data packets to one or more third computers; an attack detection module to determine whether the one or more initial data packets are a part of an attempted overload condition; and wherein the redirection module redirects the one or more first computers to send one or more subsequent data packets directly to the one or more second computers if the attack detection module determines that the initial data packets are not a part of an attempted overload condition.